Protect the attachments directory on NGINX

NGINX works differently from the Apache web server and ignores the .htaccess rules that we add to protect the attachments directory. This means that people without access to your server may be able to download PDF invoices stored in the temporary attachments folder by trying likely filenames in the URL.

To protect your attachments directory you have two options: using a filter to change the default path, or adding a location rule directly in the NGINX domain configuration file.

To change the default path with the filter, place the code snippet below inside your theme's functions.php file:

add_filter('wpo_wcpdf_tmp_path', function( $tmp_base ) {
	/**
	 * This is an example of a path, please check your current server directory structure.
	 * It's recommended to have it outside the /public/ directory.
	 */
	$tmp_base = '/home/domains/';
	return $tmp_base;
});

Alternatively, you could use dirname(ABSPATH) to determine the path:

add_filter('wpo_wcpdf_tmp_path', function( $tmp_base ) {
    // Use a folder next to (not inside) the WordPress installation directory.
    return trailingslashit(dirname(ABSPATH)).'woocommerce-invoices/';
});

If you manage or have root access to your server, you can add the rule below inside your domain configuration file:

location ~* /wpo_wcpdf/.*\.pdf$ {
    deny all;
}

Restart your web server:

service nginx restart

If you don’t have access to this file, please contact your hosting service provider and share this guide with them.
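
The location rule above only protects the PDFs if NGINX actually selects it for the request. The following Python model of NGINX's location selection is an added example, not code from the plugin or from NGINX; the sample configurations and the invoice path are constructed. It shows that an earlier regex location matching .pdf, or a ^~ prefix location, takes precedence over the deny rule.

```python
import re

# The rule from this guide; "~*" is a case-insensitive regex location.
DENY_RULE = ("~*", r"/wpo_wcpdf/.*\.pdf$", "deny")

def select_location(locations, path):
    """Return the action of the location NGINX would pick for `path`.

    `locations` is a list of (modifier, pattern, action) in config-file
    order; modifier is "=", "^~", "" (plain prefix), "~" or "~*".
    Simplified model: top-level locations only, and `path` is the
    normalized URI without its query string.
    """
    best = None  # longest matching prefix location seen so far
    for mod, pat, action in locations:
        if mod == "=" and path == pat:
            return action  # exact match always wins
        if mod in ("", "^~") and path.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, action)
    if best and best[0] == "^~":
        return best[2]  # "^~" on the longest prefix skips all regexes
    for mod, pat, action in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, path, flags):
                return action  # first matching regex in file order wins
    return best[2] if best else None

# Constructed sample configurations and request path (assumptions).
STATIC = ("~*", r"\.(?:css|js|png|jpe?g|pdf)$", "static")
SHADOWED = [("", "/", "wordpress"), STATIC, DENY_RULE]   # deny rule too late
FIXED = [("", "/", "wordpress"), DENY_RULE, STATIC]      # deny rule first
PREFIX_OVERRIDE = [("^~", "/wp-content/uploads/", "static"), DENY_RULE]
INVOICE = "/wp-content/uploads/wpo_wcpdf/attachments/invoice-1001.PDF"

if __name__ == "__main__":
    for name, conf in [("shadowed", SHADOWED), ("fixed", FIXED),
                       ("prefix override", PREFIX_OVERRIDE)]:
        print(f"{name}: {select_location(conf, INVOICE)}")
```

On a live server, confirm the result by requesting a test PDF that you placed in the attachments folder yourself and checking that the response is 403.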